[***] Summary: [***]

22 new OPEN, 27 new PRO (22 + 5). Various Spring4Shell, Lightning
Stealer, Eternity Stealer, Mustang Panda APT.

Thanks 0xrb, @James_inthe_box, @TuringAlex, @Trellix, @3xp0rtblog
and @wdormann

We discovered an infrastructure issue that caused a disruption to
portal feedback being received; it has since been resolved.
Please share issues, feedback, and requests at
https://feedback.emergingthreats.net/feedback

[+++] Added rules: [+++]

Open:

2035670 - ET EXPLOIT Possible Spring Cloud Connector RCE Inbound
(CVE-2022-22963) (exploit.rules)
2035671 - ET INFO Common JSP WebShell String Observed in HTTP Header
M1 (info.rules)
2035672 - ET INFO Common JSP WebShell String Observed in HTTP Header
M2 (info.rules)
2035673 - ET INFO Common JSP WebShell String Observed in HTTP Header
M3 (info.rules)
2035674 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1
Pattern Set Inbound (Unassigned) (exploit.rules)
2035675 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2
Suffix Set Inbound (Unassigned) (exploit.rules)
2035676 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3
Directory Set Inbound (Unassigned) (exploit.rules)
2035677 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4
Prefix Set Inbound (Unassigned) (exploit.rules)
2035678 - ET EXPLOIT Possible SpringCore RCE/Spring4Shell Inbound
(Unassigned) (exploit.rules)
2035679 - ET MALWARE MSIL/Lightning Stealer Exfil Activity (malware.rules)
2035680 - ET MALWARE Observed MSIL/Lightning Stealer Domain (panelss
.xyz in TLS SNI) (malware.rules)
2035681 - ET HUNTING Terse Request to note .youdao .com - Possible
Download (hunting.rules)
2035682 - ET MALWARE MustangPanda APT Dropper Activity (POST) (malware.rules)
2035683 - ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup
(eterprx .net) (malware.rules)
2035684 - ET MALWARE Win32/Eternity Stealer CnC Domain in DNS Lookup
(eternitypr .net) (malware.rules)
2035685 - ET MALWARE Observed Win32/Eternity Stealer Domain
(eternitypr .net in TLS SNI) (malware.rules)
2035686 - ET MALWARE Observed Win32/Eternity Stealer Domain (eterprx
.net in TLS SNI) (malware.rules)
2035687 - ET MALWARE Win32/Eternity Stealer Activity (POST) (malware.rules)
2035688 - ET PHISHING Successful Generic Social Media Credential
Phish 2022-03-31 (phishing.rules)
2035689 - ET MALWARE Win32/PlugX/Talisman Activity (POST) (malware.rules)
2035690 - ET INFO Custom Logo Domain in DNS Lookup (seeklogo .com)
(info.rules)
2035691 - ET INFO Observed Custom Logo Domain (seeklogo .com in TLS
SNI) (info.rules)

Pro:

2851368 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-31 1) (coinminer.rules)
2851369 - ETPRO COINMINER CoinMiner Known Malicious Stratum Authline
(2022-03-31 2) (coinminer.rules)
2851370 - ETPRO PHISHING Generic Social Media Credential Phish
Landing Page M1 2022-03-31 (phishing.rules)
2851371 - ETPRO PHISHING Generic Social Media Phish Landing Page M2
2022-03-31 (phishing.rules)
2851372 - ETPRO PHISHING Generic Social Media Credential Phish
Landing Page M3 2022-03-31 (phishing.rules)

[///] Modified active rules: [///]

2019833 - ET MALWARE Possible Dyre SSL Cert (fake state) (malware.rules)
2029995 - ET MALWARE Suspicious Long NULL DNS Request - Possible DNS
Tunneling (malware.rules)
2035552 - ET MALWARE Mustang Panda APT Related Activity (GET) (malware.rules)
2807762 - ETPRO MALWARE Win32/Killav.CM Checkin (malware.rules)
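The five SpringCore RCE/Spring4Shell rules above (2035674-2035678) are
named by stage: Pattern Set, Suffix Set, Directory Set, Prefix Set, and a
combined Inbound rule. The example below, added here and not an ET rule or
any project's own code, shows what that staging looks like as plain
detection logic run over constructed HTTP requests. It assumes the stage
names refer to the four publicly documented ClassLoader property-binding
parameters (pattern, suffix, directory, prefix under
class.module.classLoader.resources.context.parent.pipeline.first) that the
Spring4Shell exploitation path sets; the rules are listed as Unassigned
above, and the identifier later assigned to the bug was CVE-2022-22965.
For rule 2035670 (CVE-2022-22963) it likewise assumes the publicly
documented spring.cloud.function.routing-expression header carrying a SpEL
expression. Host names, paths and all parameter values in the samples are
constructed placeholders.

```python
"""Illustrative staged detection for Spring4Shell parameter binding and the
Spring Cloud Function routing-expression header. Added example, not an ET
rule; the parameter and header names are assumptions taken from public
write-ups of the two bugs, and the sample traffic is constructed."""
import re
from urllib.parse import parse_qsl, unquote

# Spring4Shell (assumed mapping of the ET stage names to the four properties
# of the Tomcat AccessLogValve reached via ClassLoader property binding).
SPRING4SHELL_PREFIX = (
    "class.module.classLoader.resources.context.parent.pipeline.first."
)
SPRING4SHELL_STAGES = {
    "pattern": "Stage 1 Pattern Set",
    "suffix": "Stage 2 Suffix Set",
    "directory": "Stage 3 Directory Set",
    "prefix": "Stage 4 Prefix Set",
}

# Spring Cloud Function (CVE-2022-22963): SpEL delivered in this header.
ROUTING_HEADER = "spring.cloud.function.routing-expression"
SPEL_RUNTIME_CALL = re.compile(r"T\(\s*java\.lang\.Runtime\s*\)", re.IGNORECASE)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased; the request line is split on spaces."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def bound_parameter_names(target: str, headers: dict, body: str) -> list:
    """Parameter names the framework would try to bind: query string plus a
    form-encoded body. parse_qsl percent-decodes once; unquote decodes a
    second time so a double-encoded dotted path is still compared in plain
    form rather than slipping past a literal string match."""
    names = []
    _path, _, query = target.partition("?")
    names += [k for k, _ in parse_qsl(query, keep_blank_values=True)]
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return [unquote(n) for n in names]


def classify(raw: str) -> dict:
    """Report which Spring4Shell stages a request satisfies, whether all
    four are present (the analogue of the combined Inbound rule), and
    whether the routing-expression header carries a Runtime call."""
    _method, target, headers, body = parse_request(raw)
    # Compare case-insensitively so trivial case variation of the leading
    # segment does not evade the string match.
    names = {n.lower() for n in bound_parameter_names(target, headers, body)}
    stages = [
        label for prop, label in SPRING4SHELL_STAGES.items()
        if (SPRING4SHELL_PREFIX + prop).lower() in names
    ]
    routing = headers.get(ROUTING_HEADER, "")
    return {
        "spring4shell_stages": stages,
        "spring4shell_full": len(stages) == len(SPRING4SHELL_STAGES),
        "spring_cloud_function_rce": bool(SPEL_RUNTIME_CALL.search(routing)),
    }


# Constructed samples (not captured traffic); values are inert placeholders.
SAMPLE_SPRING4SHELL = (
    "POST /app/hello HTTP/1.1\r\nHost: victim.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    + "&".join(SPRING4SHELL_PREFIX + p + "=PLACEHOLDER" for p in SPRING4SHELL_STAGES)
)
SAMPLE_PARTIAL = (
    "GET /app/hello?" + SPRING4SHELL_PREFIX + "pattern=PLACEHOLDER HTTP/1.1\r\n"
    "Host: victim.example\r\n\r\n"
)
SAMPLE_CLOUD_FUNCTION = (
    "POST /functionRouter HTTP/1.1\r\nHost: victim.example\r\n"
    + ROUTING_HEADER + ': T(java.lang.Runtime).getRuntime().exec("id")\r\n'
    "Content-Type: text/plain\r\n\r\nping"
)
SAMPLE_BENIGN = "GET /app/hello?name=alice HTTP/1.1\r\nHost: victim.example\r\n\r\n"

if __name__ == "__main__":
    for label, sample in [("spring4shell", SAMPLE_SPRING4SHELL), ("partial", SAMPLE_PARTIAL),
                          ("cloud-function", SAMPLE_CLOUD_FUNCTION), ("benign", SAMPLE_BENIGN)]:
        print(label, classify(sample))
```

Splitting the match into per-stage verdicts plus a combined one mirrors why
a staged rule set is useful in practice: a single request setting only the
pattern property is still worth a hunting hit, while all four properties
in one request is the high-confidence signal.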
